[Oisf-users] SURICATA VLAN unknown type
Victor Julien
lists at inliniac.net
Mon Mar 31 08:13:42 EDT 2014
On 03/31/2014 02:11 PM, PENZ Robert wrote:
> Hi!
>
>
>
> Using Suricata 2.0 rc2 (will update today to the final version) I get
> many following entries, but most packets are parsed correctly:
>
>
>
> 03/31/2014-13:15:38.049215 [**] [1:2200067:1] SURICATA VLAN unknown
> type [**] [Classification: (null)] [Priority: 3] [**] [Raw pkt: FF FF FF
> FF FF FF 38 EA A7 91 D7 11 81 00 09 F8 08 06 00 01 08 00 06 04 00 01 38
> EA A7 91 D7 11 ]
>
> 03/31/2014-13:15:38.049226 [**] [1:2200067:1] SURICATA VLAN unknown
> type [**] [Classification: (null)] [Priority: 3] [**] [Raw pkt: FF FF FF
> FF FF FF 38 EA A7 91 D7 11 81 00 05 48 08 06 00 01 08 00 06 04 00 01 38
> EA A7 91 D7 11 ]
>
> 03/31/2014-13:15:38.733961 [**] [1:2200067:1] SURICATA VLAN unknown
> type [**] [Classification: (null)] [Priority: 3] [**] [Raw pkt: 00 04 96
> 51 97 A1 38 EA A7 91 D7 11 81 00 05 48 08 06 00 01 08 00 06 04 00 01 38
> EA A7 91 D7 11 ]
>
> 03/31/2014-13:15:40.542186 [**] [1:2200067:1] SURICATA VLAN unknown
> type [**] [Classification: (null)] [Priority: 3] [**] [Raw pkt: FF FF FF
> FF FF FF 38 EA A7 31 30 A5 81 00 06 74 08 06 00 01 08 00 06 04 00 01 38
> EA A7 31 30 A5 ]
>
> 03/31/2014-13:15:40.542252 [**] [1:2200067:1] SURICATA VLAN unknown
> type [**] [Classification: (null)] [Priority: 3] [**] [Raw pkt: FF FF FF
> FF FF FF 38 EA A7 31 30 A5 81 00 0C 50 08 06 00 01 08 00 06 04 00 01 38
> EA A7 31 30 A5 ]
>
> 03/31/2014-13:15:44.444643 [**] [1:2200067:1] SURICATA VLAN unknown
> type [**] [Classification: (null)] [Priority: 3] [**] [Raw pkt: FF FF FF
> FF FF FF 38 EA A7 91 D7 11 81 00 0C 50 08 06 00 01 08 00 06 04 00 01 38
> EA A7 91 D7 11 ]
>
> 03/31/2014-13:15:44.444654 [**] [1:2200067:1] SURICATA VLAN unknown
> type [**] [Classification: (null)] [Priority: 3] [**] [Raw pkt: FF FF FF
> FF FF FF 38 EA A7 91 D7 11 81 00 07 A0 08 06 00 01 08 00 06 04 00 01 38
> EA A7 91 D7 11 ]
>
> 03/31/2014-13:15:44.444665 [**] [1:2200067:1] SURICATA VLAN unknown
> type [**] [Classification: (null)] [Priority: 3] [**] [Raw pkt: FF FF FF
> FF FF FF 38 EA A7 91 D7 11 81 00 08 CC 08 06 00 01 08 00 06 04 00 01 38
> EA A7 91 D7 11 ]
>
> 03/31/2014-13:15:44.444676 [**] [1:2200067:1] SURICATA VLAN unknown
> type [**] [Classification: (null)] [Priority: 3] [**] [Raw pkt: FF FF FF
> FF FF FF 38 EA A7 91 D7 11 81 00 09 F8 08 06 00 01 08 00 06 04 00 01 38
> EA A7 91 D7 11 ]
>
> 03/31/2014-13:15:44.444687 [**] [1:2200067:1] SURICATA VLAN unknown
> type [**] [Classification: (null)] [Priority: 3] [**] [Raw pkt: FF FF FF
> FF FF FF 38 EA A7 91 D7 11 81 00 05 48 08 06 00 01 08 00 06 04 00 01 38
> EA A7 91 D7 11 ]
>
> 03/31/2014-13:15:44.444747 [**] [1:2200067:1] SURICATA VLAN unknown
> type [**] [Classification: (null)] [Priority: 3] [**] [Raw pkt: FF FF FF
> FF FF FF 38 EA A7 91 D7 11 81 00 06 74 08 06 00 01 08 00 06 04 00 01 38
> EA A7 91 D7 11 ]
>
>
>
> But the packets look valid for me. e.g. the last one.
>
>
>
> FF FF FF FF FF FF Broadcast
>
> 38 EA A7 91 D7 11 Source MAC
>
> 81 00 TPID = 0x8100
>
> 06 74 VLAN ID = 1652
>
> 08 06 EtherType/Size
>
> 00 01 08 00 06 04 00 01 38 EA A7 91 D7 11 payload
>
>
>
> What do I miss?
It's probably Suricata that is missing something: support for a specific
packet type :)
Are you able to (privately) share a small pcap (single packet would be
enough)?
As a work around, you can simply disable rule 2200067.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-users
mailing list